Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ezfe 3 hours ago

Doesn’t seem like a bug to me - it’s just a poor UI. Two different security systems both working properly but only one has a UI to show the protections.

lapcat 3 hours ago | parent [-]

Why would you think it's "working properly"?

The app somehow gained a permanent permission that I didn't give and that I can't remove no matter what I do. That's not working properly in any sense.

kccqzy 2 hours ago | parent [-]

It’s working properly in the sense that the Apple-provided file picker UI is designed to give permanent file permission access to an app. But the user thinks that access is temporary. It’s a mismatch between the user’s mental model and what’s actually happening.

lapcat an hour ago | parent [-]

> It’s working properly in the sense that the Apple-provided file picker UI is designed to give permanent file permission access to an app.

In the case of sandboxed apps, this is not true. The open panel provides temporary access, and a sandboxed app needs to create a security-scoped bookmark to retain persistent access across launches.

For non-sandboxed apps, it's usually not an issue, because non-sandboxed apps have access to most of the file system by default. The weirdness occurs only for certain files and folders that are restricted by TCC, such as Desktop and Documents. But for non-restricted folders, nothing needs to be done. Observe that if you use the Open from folder... command from Insent on a non-restricted folder, then no com.apple.macl is set on the folder. No special permanent access is granted, because none is required. The only time the system automatically grants permanent access is with TCC-restricted files and folders, so we can't pretend that this is a "normal" thing.

In general, non-sandboxed apps don't even need the open panel for file access. They can just read whatever file they want... except for the TCC-restricted files. The purpose of the open panel in a non-sandboxed app is just to provide a file picker UI to the user.

kccqzy an hour ago | parent [-]

The security-scoped bookmark is exactly why a user should treat all macOS file access permission prompts as permanent. There is also no UI to show to a user whether an app has created a security-scoped bookmark.

And this is for sandboxed apps. You correctly point out that non-sandboxed apps have even more access. So a user’s mental model should be that all open dialogs grant permanent access.